Using a VACL to allow inbound connections to a server only, but prevent that server from initiating connections

Hi,

We have an old Windows server that has a special legacy application on it, but our security team wants that server locked down, i.e. users can connect to it via telnet, SSH, RDP, etc., but the server itself cannot connect to other servers and can't go out to the internet. We have tried playing with the Windows firewall, which meets some of the security needs, but we still have to lock it down at the network level, so that if someone gets hold of the admin account password, they can disable the Windows firewall but still can't connect to the outside world.

I have tried using a Cisco VACL (we are using Version 12.2(52)SE), and my relevant VACL statements are as follows:

ip access-list extended any_to_HC
 permit ip any host 192.168.1.2
! redundant: the "permit ip" line above already covers ICMP
 permit icmp any host 192.168.1.2
ip access-list extended HC_to_any
 permit ip host 192.168.1.2 any
! redundant for the same reason
 permit icmp host 192.168.1.2 any
!
vlan access-map VACL_isolate_HC 10
! every packet sourced by the server, replies included, is dropped here
 action drop
 match ip address HC_to_any
vlan access-map VACL_isolate_HC 20
 action forward
 match ip address any_to_HC
! no further clause: anything in VLAN 1010 that matches neither ACL
! (for example traffic between two other hosts) hits the implicit deny
!
vlan filter VACL_isolate_HC vlan-list 1010


The server is sitting on this VLAN 1010. What I noticed, though, is that it looks like the VACL cannot *sense* established connections, so that if you are trying to connect to it or even ping it, even though inbound packets to the server are allowed, the VACL automatically blocks the outgoing packets?

I also tried modifying the relevant access list clauses above to read:

 permit tcp host 192.168.1.2 any established

but it didn't have the desired effect

...would appreciate any suggestions on how my requirements can be achieved.

Thanks
rleyba828 Asked:
arnold Commented:
In your established rule, allowing only ports greater than 1023 would cover many.

Using an ACL only allowing

The other: only allow ports of services that need to be accessed to respond.

What ports is the application on, .....
JustInCase Commented:
A VACL is usually used to block intervlan traffic, traffic between hosts in a VLAN.

So if your server is in the same VLAN as other servers, you can (to block traffic to other hosts in the same VLAN):
- permit traffic that needs to be forwarded to the default gateway
- drop all other traffic
example
Filtering all other traffic (to internet or any other destination) should be done by ACL, not VACL.
rleyba828 (Author) Commented:
Hi team, I have figured out a way. The key was to have a separate clause for outbound connections from the quarantined server to allow established connections, and a separate clause for this server (blocked this time) where it would be initiating the connections.

ip access-list extended HC_to_any
 permit ip host 192.168.1.2 any
!
ip access-list extended HC_to_any_est
! "established" is accepted on tcp lines only; it matches segments with
! ACK or RST set, i.e. replies to sessions someone else opened
 permit tcp host 192.168.1.2 any established
! lets the server originate ICMP (echo requests included), not only answer it
 permit icmp host 192.168.1.2 any
!
vlan access-map VACL_isolate_HC 10
 action forward
 match ip address HC_to_any_est
vlan access-map VACL_isolate_HC 20
! everything else sourced by the server: new TCP sessions, UDP, other IP
 action drop
 match ip address HC_to_any
vlan access-map VACL_isolate_HC 30
! no match statement: all remaining VLAN 1010 traffic, including
! connections made to the server, is forwarded
 action forward
!
vlan filter VACL_isolate_HC vlan-list 1010


* I just tried in my test lab and it seems to be working as I expected
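To make the difference between the two access-maps concrete, here is an added example that is not code from the thread and not anything Cisco ships: a small Python model of how IOS evaluates an extended ACL inside a VLAN access-map (first match wins, a clause with no match statement matches everything, no match at all means drop), run over constructed packets against both the first attempt and the working version. The client and internet addresses 192.168.1.10, 192.168.1.11 and 203.0.113.9 are assumptions, and the established line is modelled as a tcp line because IOS only accepts that keyword after tcp.

```python
"""Added example (not from the thread): a model of how IOS evaluates an
extended ACL inside a VLAN access-map, used to trace both configurations
posted above against constructed packets."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                            # "tcp", "udp" or "icmp"
    flags: FrozenSet[str] = frozenset()   # TCP flags set, e.g. {"SYN"}


@dataclass(frozen=True)
class Ace:
    """One 'permit' line of an extended ACL. Deny lines are left out: inside a
    VACL a deny only means 'this clause does not match', exactly like the
    implicit deny at the end of the list."""
    proto: str                 # "ip" matches every protocol, otherwise exact
    src: str                   # "any", "host A.B.C.D" or "A.B.C.D/len"
    dst: str
    established: bool = False  # IOS accepts this keyword on tcp lines only


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec[5:])
    return ip_address(addr) in ip_network(spec, strict=False)


def acl_permits(aces: List[Ace], pkt: Packet) -> bool:
    """First match wins; falling off the end is the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != pkt.proto:
            continue
        if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
            continue
        # 'established' is stateless: it only checks that ACK or RST is set and
        # has no idea whether a handshake ever took place.
        if ace.established and (pkt.proto != "tcp" or not (pkt.flags & {"ACK", "RST"})):
            continue
        return True
    return False


# (sequence, action, ACL name) - None for a clause with no match statement
Clause = Tuple[int, str, Optional[str]]


def vacl_action(access_map: List[Clause], acls: Dict[str, List[Ace]],
                pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, sequence) from the first clause whose ACL permits the
    packet. A clause without a match statement matches everything; if no
    clause matches, the switch drops the packet."""
    for seq, action, acl_name in sorted(access_map, key=lambda c: c[0]):
        if acl_name is None or acl_permits(acls[acl_name], pkt):
            return action, seq
    return "drop", None


HC = "host 192.168.1.2"
ACLS: Dict[str, List[Ace]] = {
    "any_to_HC":     [Ace("ip", "any", HC), Ace("icmp", "any", HC)],
    "HC_to_any":     [Ace("ip", HC, "any")],
    "HC_to_any_est": [Ace("tcp", HC, "any", established=True),
                      Ace("icmp", HC, "any")],
}
# First attempt from the question: no catch-all forward clause at the end.
FIRST_MAP: List[Clause] = [(10, "drop", "HC_to_any"), (20, "forward", "any_to_HC")]
# Working version from the answer, with the established line as a tcp line.
FIXED_MAP: List[Clause] = [(10, "forward", "HC_to_any_est"),
                           (20, "drop", "HC_to_any"),
                           (30, "forward", None)]

# Constructed traffic; every address other than 192.168.1.2 is an assumption.
SAMPLES: Dict[str, Packet] = {
    "client_syn_to_server":  Packet("192.168.1.10", "192.168.1.2", "tcp", frozenset({"SYN"})),
    "server_synack_reply":   Packet("192.168.1.2", "192.168.1.10", "tcp", frozenset({"SYN", "ACK"})),
    "server_new_tcp_out":    Packet("192.168.1.2", "203.0.113.9", "tcp", frozenset({"SYN"})),
    "server_dns_out":        Packet("192.168.1.2", "203.0.113.9", "udp"),
    "server_ping_out":       Packet("192.168.1.2", "203.0.113.9", "icmp"),
    "server_forged_ack_out": Packet("192.168.1.2", "203.0.113.9", "tcp", frozenset({"ACK"})),
    "peer_to_peer":          Packet("192.168.1.10", "192.168.1.11", "tcp", frozenset({"SYN"})),
}


def trace(access_map: List[Clause]) -> Dict[str, Tuple[str, Optional[int]]]:
    """Run every sample packet through one access-map."""
    return {name: vacl_action(access_map, ACLS, pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, amap in (("first attempt", FIRST_MAP), ("fixed", FIXED_MAP)):
        print(label)
        for name, (action, seq) in trace(amap).items():
            print(f"  {name:24s} -> {action:8s} seq {seq}")
```

The trace reproduces what the question reports: with the first map the client's SYN reaches the server (sequence 20) but the server's SYN/ACK is dropped by sequence 10, and traffic between any two other hosts on VLAN 1010 falls through to the implicit deny. With the working map the reply is forwarded by sequence 10 and a fresh SYN or UDP datagram from the server is dropped by sequence 20, which is the intended lock-down. Two things the model also makes visible: the ICMP line lets the server originate echo requests to anywhere, and because `established` only inspects flags, a segment the server sends with ACK set and no prior handshake passes sequence 10 as well. Something with a state table (a firewall or zone-based policy on the next hop) is needed if either of those matters to the security team; the VACL alone is still worth keeping as the layer an attacker with the local admin password cannot switch off.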

rleyba828 (Author) Commented:
I found the answer myself.